Configuring sudo
1 Environment
This document applies to the following products and product versions:
SUSE Linux Enterprise Server 15 SP3, 15 SP2, 15 SP1, 15 GA
SUSE Linux Enterprise Server for SAP Applications 15 SP3, 15 SP2, 15 SP1, 15 GA
SUSE Linux Enterprise High Availability Extension 15 SP3, 15 SP2, 15 SP1, 15 GA
SUSE Linux Enterprise High Performance Computing 15 SP3, 15 SP2, 15 SP1, 15 GA
SUSE Linux Enterprise Desktop 15 SP3, 15 SP2, 15 SP1, 15 GA
SUSE Linux Enterprise Real Time 15 SP3, 15 SP2, 15 SP1, 15 GA
2 Introduction
This article explains how sudo can be configured to your needs.
2.1 sudoers configuration files
The main policy configuration file for sudo is /etc/sudoers. Additionally, sudo reads in files from the /etc/sudoers.d/ directory.
The #includedir directive in /etc/sudoers ignores files that end with the ~ (tilde) character or contain the . (dot) character.
Keep in mind that the /etc/sudoers file is supplied by the system packages. Any changes made directly in the file may break updates. Therefore, it is recommended to put your custom configuration in a file in the /etc/sudoers.d/ directory. Use the following command to create or edit a file:
sudo visudo -f /etc/sudoers.d/NAME
As it is possible to lock yourself out of the system if the file is malformed, it is strongly recommended to use visudo for editing. It prevents editing conflicts and checks for syntax errors before saving the modifications.
2.2 Basic sudoers configuration syntax
The sudoers configuration files contain two types of options: strings and flags. While strings can contain any value, flags can be turned either ON or OFF. The most important syntax constructs for sudoers configuration files are as follows:
# Everything on a line after # is ignored                              (1)
Defaults !insults                     # Disable the insults flag        (2)
Defaults env_keep += "DISPLAY HOME"   # Add DISPLAY and HOME to env_keep
tux ALL = NOPASSWD: /usr/bin/frobnicate, PASSWD: /usr/bin/journalctl   (3)
(1) There are two exceptions: the #include and #includedir directives.
(2) Remove the ! to turn the flag ON.
(3) See Section 2.3, Basic sudoers rules.
- targetpw
  This flag controls whether the invoking user is required to enter the password of the target user (ON) (for example, root) or of the invoking user (OFF).
  Defaults targetpw   # Turn targetpw flag ON
- rootpw
  If set, sudo prompts for the root password. The default is OFF.
  Defaults !rootpw   # Turn rootpw flag OFF
- env_reset
  If set, sudo constructs a minimal environment with TERM, PATH, HOME, MAIL, SHELL, LOGNAME, USER, USERNAME, and SUDO_*. Additionally, variables listed in env_keep are imported from the calling environment. The default is ON.
  Defaults env_reset   # Turn env_reset flag ON
- env_keep
  List of environment variables to keep when the env_reset flag is ON.
  # Set env_keep to contain EDITOR and PROMPT
  Defaults env_keep = "EDITOR PROMPT"
  Defaults env_keep += "JRE_HOME"   # Add JRE_HOME
  Defaults env_keep -= "JRE_HOME"   # Remove JRE_HOME
- env_delete
  List of environment variables to remove when the env_reset flag is OFF.
  # Set env_delete to contain EDITOR and PROMPT
  Defaults env_delete = "EDITOR PROMPT"
  Defaults env_delete += "JRE_HOME"   # Add JRE_HOME
  Defaults env_delete -= "JRE_HOME"   # Remove JRE_HOME
The Defaults token can also be used to create aliases for a collection of users, hosts, and commands. Furthermore, it is possible to apply an option only to a specific set of users.
For detailed information about the /etc/sudoers configuration file, consult man 5 sudoers.
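An added example (not part of the SUSE article) that models the env_reset, env_keep and env_delete behaviour described above in Python: it parses the Defaults lines shown and computes which variables of a constructed calling environment would reach the command. Only the Defaults forms shown above are handled, and copying values from the caller is a simplification of what sudo does.

```python
# Added example, not from the SUSE article: models how env_reset, env_keep and
# env_delete shape the environment a command gets. Only the Defaults forms
# shown above are handled; the sudoers text and environment are constructed.
BASE_VARS = {"TERM", "PATH", "HOME", "MAIL", "SHELL", "LOGNAME",
             "USER", "USERNAME"}           # kept when env_reset is ON

def parse_defaults(text):
    """Return (flags, lists) collected from the Defaults lines of a snippet."""
    flags = {"env_reset": True}                  # sudo's default: env_reset ON
    lists = {"env_keep": set(), "env_delete": set()}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # everything after '#' is a comment
        if not line.startswith("Defaults"):
            continue
        body = line[len("Defaults"):].strip()
        for op in ("+=", "-=", "="):             # test += and -= before plain =
            if op in body:
                name, value = (s.strip() for s in body.split(op, 1))
                names = set(value.strip('"').split())
                cur = lists.setdefault(name, set())
                if op == "=":
                    lists[name] = names
                elif op == "+=":
                    cur |= names
                else:
                    cur -= names
                break
        else:                                    # bare flag: "flag" or "!flag"
            flags[body.lstrip("!")] = not body.startswith("!")
    return flags, lists

def resulting_env(calling_env, flags, lists):
    """Simplified: env_reset ON copies only BASE_VARS, SUDO_* and env_keep
    entries from the caller; OFF copies everything except env_delete entries."""
    if flags.get("env_reset", True):
        keep = BASE_VARS | lists["env_keep"]
        return {k: v for k, v in calling_env.items()
                if k in keep or k.startswith("SUDO_")}
    return {k: v for k, v in calling_env.items() if k not in lists["env_delete"]}

SUDOERS = """\
Defaults env_reset                      # minimal environment (the default)
Defaults env_keep = "EDITOR PROMPT"
Defaults env_keep += "JRE_HOME"         # add JRE_HOME
Defaults env_keep -= "PROMPT"           # remove PROMPT again
"""
CALLING_ENV = {"PATH": "/usr/bin", "HOME": "/home/tux", "EDITOR": "nano",
               "PROMPT": "x", "JRE_HOME": "/usr/lib64/jvm",
               "LD_LIBRARY_PATH": "/tmp/lib", "SUDO_EDITOR": "vim"}
```

With env_reset ON, LD_LIBRARY_PATH and PROMPT never reach the command; with env_reset OFF only the env_delete entries are dropped, which is why the default is the safer choice.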
2.3 Basic sudoers rules
Each rule follows the following scheme ([] marks optional parts):
#Who       Where        As whom        Tag                  What
User_List  Host_List =  [(User_List)]  [NOPASSWD:|PASSWD:]  Cmnd_List
- User_List
  One or several (separated by comma) identifiers: either a user name, a group in the format %GROUPNAME, or a user ID in the format #UID. Negation can be specified with the ! prefix.
- Host_List
  One or several (separated by comma) identifiers: either a (fully qualified) host name or an IP address. Negation can be specified with the ! prefix. ALL is a common choice for Host_List.
- NOPASSWD:|PASSWD:
  The user is not prompted for a password when running commands matching Cmnd_List after NOPASSWD:. PASSWD is the default. It only needs to be specified when both PASSWD and NOPASSWD are on the same line:
  tux ALL = PASSWD: /usr/bin/foo, NOPASSWD: /usr/bin/bar
- Cmnd_List
  One or several (separated by comma) specifiers: a path to an executable, followed by an optional allowed argument.
  /usr/bin/foo        # Anything allowed
  /usr/bin/foo bar    # Only "/usr/bin/foo bar" allowed
  /usr/bin/foo ""     # No arguments allowed
ALL can be used as User_List, Host_List, and Cmnd_List.
A rule that allows tux to run all commands as root without entering a password:
tux ALL = NOPASSWD: ALL
A rule that allows tux to run systemctl restart apache2:
tux ALL = /usr/bin/systemctl restart apache2
A rule that allows tux to run wall as admin with no arguments:
tux ALL = (admin) /usr/bin/wall ""
Do not use rules like ALL ALL = ALL without Defaults targetpw. Otherwise anyone can run commands as root.
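An added example (not part of the SUSE article) that evaluates rules written in the scheme above in Python: it parses constructed user specifications, applies the User_List, Host_List and runas matching (including %GROUPNAME, #UID, ALL and ! negation), and reports whether a command is permitted and whether a password is required. Aliases, wildcards and Defaults lines are not handled.

```python
# Added example, not from the SUSE article: evaluates user specifications of
# the form  User_List Host_List = [(User_List)] [NOPASSWD:|PASSWD:] Cmnd_List
# Like sudo, the last matching list entry and the last matching rule win.
import re, shlex

def parse_rules(text):
    """Parse rule lines into (User_List, Host_List, runas User_List, cmds)."""
    rules = []
    for raw in text.splitlines():
        line = re.split(r"#(?!\d)", raw, maxsplit=1)[0].strip()  # keep #UID
        if not line or line.startswith("Defaults") or "=" not in line:
            continue
        lhs, rhs = line.split("=", 1)
        users, hosts = lhs.rsplit(None, 1)                # "User_List Host_List"
        runas, rhs = "root", rhs.strip()                  # "(...)" omitted: root
        if rhs.startswith("("):
            runas, rhs = rhs[1:].split(")", 1)
        tag, cmds = "PASSWD", []                          # PASSWD is the default
        for piece in rhs.split(","):
            toks = shlex.split(piece)                     # a quoted "" survives as ''
            if toks and toks[0] in ("NOPASSWD:", "PASSWD:"):
                tag = toks.pop(0).rstrip(":")             # tag applies until changed
            cmds.append((toks[0], toks[1:], tag))         # (path, args, tag)
        rules.append((users, hosts, runas.strip(), cmds))
    return rules

def _list_matches(spec, hit):   # comma list; '!' negates; last matching entry wins
    result = False
    for entry in (e.strip() for e in spec.split(",")):
        bare = entry.lstrip("!")
        if bare == "ALL" or hit(bare):
            result = not entry.startswith("!")
    return result

def check(rules, user, uid, groups, host, runas, argv):
    """Return 'NOPASSWD', 'PASSWD' or None (command not permitted)."""
    verdict = None
    for users, hosts, rule_runas, cmds in rules:
        if (_list_matches(users, lambda e: e == user or (e[:1] == "%" and
                e[1:] in groups) or (e[:1] == "#" and e[1:] == str(uid)))
                and _list_matches(hosts, lambda e: e == host)
                and _list_matches(rule_runas, lambda e: e == runas)):
            for path, args, tag in cmds:                   # "" means no arguments
                if path == "ALL" or (path == argv[0] and (args == [] or
                        args == argv[1:] or (args == [""] and len(argv) == 1))):
                    verdict = tag
    return verdict

RULES = """tux   ALL = (admin) /usr/bin/wall ""
%ops  ALL = NOPASSWD: /usr/bin/frobnicate, PASSWD: /usr/bin/journalctl
#1001 ALL = /usr/bin/foo bar
"""
```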
3 Requirements
To use sudo, you need to have the sudo package installed, which is usually available by default on SUSE ALP Micro and SUSE ALP Bedrock.
4 Editing the configuration files
For more information on the visudo command, run man 8 visudo.
5 Setting another editor
You can use another editor instead of vi. For this, set the EDITOR environment variable accordingly, for example:
sudo EDITOR=/usr/bin/nano visudo